在kubernetes組件中,master節(jié)點組件主要包括:kube-apiserver,kube-controller-manager,kube-scheduler等三個組件,每個組件功能職責分工不同,這里我們將三個組件部署在同一機器上,分別部署了三臺機器。
西藏ssl適用于網(wǎng)站、小程序/APP、API接口等需要進行數(shù)據(jù)傳輸應(yīng)用場景,ssl證書未來市場廣闊!成為創(chuàng)新互聯(lián)公司的ssl證書銷售渠道,可以享受市場價格4-6折優(yōu)惠!如果有意向歡迎電話聯(lián)系或者加微信:18980820575(備注:SSL證書合作)期待與您的合作!
#################### Variable parameter setting ######################
KUBE_NAME=kube-apiserver
K8S_INSTALL_PATH=/data/apps/k8s/kubernetes
K8S_BIN_PATH=${K8S_INSTALL_PATH}/sbin
K8S_LOG_DIR=${K8S_INSTALL_PATH}/logs
K8S_CONF_PATH=/etc/k8s/kubernetes
CA_DIR=/etc/k8s/ssl
SOFTWARE=/root/software
VERSION=v1.14.2
PACKAGE="kubernetes-server-${VERSION}-linux-amd64.tar.gz"
DOWNLOAD_URL=“”https://github.com/devops-apps/download/raw/master/kubernetes/${PACKAGE}"
ETCD_ENDPOIDS=https://10.10.10.22:2379,https://10.10.10.23:2379,https://10.10.10.24:2379
ETH_INTERFACE=eth2
LISTEN_IP=$(ifconfig | grep -A 1 ${ETH_INTERFACE} |grep inet |awk '{print $2}')
USER=k8s
SERVICE_CIDR=10.254.0.0/22
NODE_PORT_RANG=8400-9400
登陸devops機器,訪問kubernetes github 官方地址下載穩(wěn)定的 realease 包至本機;
wget $DOWNLOAD_URL -P $SOFTWARE
將kubernetes 軟件包分發(fā)到各個master節(jié)點服務(wù)器;
sudo ansible master_k8s_vgs -m copy -a "src=${SOFTWARE}/$PACKAGE dest=${SOFTWARE}/" -b
### 1.Check if the install directory exists.
if [ ! -d "$K8S_BIN_PATH" ]; then
mkdir -p $K8S_BIN_PATH
fi
if [ ! -d "$K8S_LOG_DIR/$KUBE_NAME" ]; then
mkdir -p $K8S_LOG_DIR/$KUBE_NAME
fi
if [ ! -d "$K8S_CONF_PATH" ]; then
mkdir -p $K8S_CONF_PATH
fi
### 2.Install kube-apiserver binary of kubernetes.
if [ ! -f "$SOFTWARE/kubernetes-server-${VERSION}-linux-amd64.tar.gz" ]; then
wget $DOWNLOAD_URL -P $SOFTWARE >>/tmp/install.log 2>&1
fi
cd $SOFTWARE && tar -xzf kubernetes-server-${VERSION}-linux-amd64.tar.gz -C ./
cp -fp kubernetes/server/bin/$KUBE_NAME $K8S_BIN_PATH
ln -sf $K8S_BIN_PATH/$KUBE_NAM /usr/local/bin
chown -R $USER:$USER $K8S_INSTALL_PATH
chmod -R 755 $K8S_INSTALL_PATH
cd ${CA_DIR}
sudo ansible master_k8s_vgs -m copy -a "src=ca.pem dest=${CA_DIR}/" -b
sudo ansible master_k8s_vgs -m copy -a "src=ca-key.pem dest=${CA_DIR}/" -b
sudo ansible master_k8s_vgs -m copy -a "src=kubernetes.pem dest=${CA_DIR}/" -b
sudo ansible master_k8s_vgs -m copy -a "src=kubernetes-key.pem dest=${CA_DIR}/" -b
sudo ansible master_k8s_vgs -m copy -a "src=proxy-clinet.pem dest=${CA_DIR}/" -b、
sudo ansible master_k8s_vgs -m copy -a "src=proxy-client-key.pem dest=${CA_DIR}/" -b
cat>${K8S_CONF_PATH}/audit-policy.yaml<<EOF
apiVersion: audit.k8s.io/v1beta1
kind: Policy
rules:
# The following requests were manually identified as high-volume and low-risk, so drop them.
- level: None
resources:
- group: ""
resources:
- endpoints
- services
- services/status
users:
- 'system:kube-proxy'
verbs:
- watch
- level: None
resources:
- group: ""
resources:
- nodes
- nodes/status
userGroups:
- 'system:nodes'
verbs:
- get
- level: None
namespaces:
- kube-system
resources:
- group: ""
resources:
- endpoints
users:
- 'system:kube-controller-manager'
- 'system:kube-scheduler'
- 'system:serviceaccount:kube-system:endpoint-controller'
verbs:
- get
- update
- level: None
resources:
- group: ""
resources:
- namespaces
- namespaces/status
- namespaces/finalize
users:
- 'system:apiserver'
verbs:
- get
# Don't log HPA fetching metrics.
- level: None
resources:
- group: metrics.k8s.io
users:
- 'system:kube-controller-manager'
verbs:
- get
- list
# Don't log these read-only URLs.
- level: None
nonResourceURLs:
- '/healthz*'
- /version
- '/swagger*'
# Don't log events requests.
- level: None
resources:
- group: ""
resources:
- events
# node and pod status calls from nodes are high-volume and can be large
- level: Request
omitStages:
- RequestReceived
resources:
- group: ""
resources:
- nodes/status
- pods/status
users:
- kubelet
- 'system:node-problem-detector'
- 'system:serviceaccount:kube-system:node-problem-detector'
verbs:
- update
- patch
- level: Request
omitStages:
- RequestReceived
resources:
- group: ""
resources:
- nodes/status
- pods/status
userGroups:
- 'system:nodes'
verbs:
- update
- patch
# deletecollection calls can be large, don't log responses for expected namespace deletions
- level: Request
omitStages:
- RequestReceived
users:
- 'system:serviceaccount:kube-system:namespace-controller'
verbs:
- deletecollection
# Secrets, ConfigMaps, and TokenReviews can contain sensitive & binary data,
# so only log at the Metadata level.
- level: Metadata
omitStages:
- RequestReceived
resources:
- group: ""
resources:
- secrets
- configmaps
- group: authentication.k8s.io
resources:
- tokenreviews
# Get repsonses can be large; skip them.
- level: Request
omitStages:
- RequestReceived
resources:
- group: ""
- group: admissionregistration.k8s.io
- group: apiextensions.k8s.io
- group: apiregistration.k8s.io
- group: apps
- group: authentication.k8s.io
- group: authorization.k8s.io
- group: autoscaling
- group: batch
- group: certificates.k8s.io
- group: extensions
- group: metrics.k8s.io
- group: networking.k8s.io
- group: policy
- group: rbac.authorization.k8s.io
- group: scheduling.k8s.io
- group: settings.k8s.io
- group: storage.k8s.io
verbs:
- get
- list
- watch
# Default level for known APIs
- level: RequestResponse
omitStages:
- RequestReceived
resources:
- group: ""
- group: admissionregistration.k8s.io
- group: apiextensions.k8s.io
- group: apiregistration.k8s.io
- group: apps
- group: authentication.k8s.io
- group: authorization.k8s.io
- group: autoscaling
- group: batch
- group: certificates.k8s.io
- group: extensions
- group: metrics.k8s.io
- group: networking.k8s.io
- group: policy
- group: rbac.authorization.k8s.io
- group: scheduling.k8s.io
- group: settings.k8s.io
- group: storage.k8s.io
# Default level for all other requests.
- level: Metadata
omitStages:
- RequestReceived
EOF
at >/usr/lib/systemd/system/${KUBE_NAME}.service<<EOF
[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
After=network.target
[Service]
User=${USER}
Type=notify
WorkingDirectory=${K8S_INSTALL_PATH}
EnvironmentFile=-${K8S_CONF_PATH}/${KUBE_NAME}
ExecStart=${K8S_BIN_PATH}/${KUBE_NAME} \\
--enable-admission-plugins=NodeRestriction \\
--bind-address=0.0.0.0 \\
--insecure-bind-address=${LISTEN_IP} \\
--insecure-port=8080 \\
--secure-port=6443 \\
--advertise-address=${LISTEN_IP} \\
--authorization-mode=Node,RBAC \\
--anonymous-auth=false \\
--runtime-config=api/all \\
--enable-bootstrap-token-auth=true \\
--token-auth-file=${K8S_CONF_PATH}/token.csv \\
--service-cluster-ip-range=${SERVICE_CIDR} \\
--service-node-port-range=${NODE_PORT_RANG} \\
--requestheader-allowed-names="" \\
--requestheader-client-ca-file=${CA_DIR}/ca.pem \\
--requestheader-extra-headers-prefix="X-Remote-Extra-" \\
--requestheader-group-headers=X-Remote-Group \\
--requestheader-username-headers=X-Remote-User \\
--tls-cert-file=${CA_DIR}/kubernetes.pem \\
--tls-private-key-file=${CA_DIR}/kubernetes-key.pem \\
--client-ca-file=${CA_DIR}/ca.pem \\
--service-account-key-file=${CA_DIR}/ca.pem \\
--etcd-cafile=${CA_DIR}/ca.pem \\
--etcd-certfile=${CA_DIR}/etcd.pem \\
--etcd-keyfile=${CA_DIR}/etcd-key.pem \\
--etcd-servers=${ETCD_ENDPOIDS} \\
--delete-collection-workers=2 \\
--default-watch-cache-size=200 \\
--kubelet-certificate-authority=${CA_DIR}/ca.pem \\
--kubelet-client-certificate=${CA_DIR}/kubernetes.pem \\
--kubelet-client-key=${CA_DIR}/kubernetes-key.pem \\
--kubelet-https=true \\
--kubelet-timeout=10s \\
--proxy-client-cert-file=${CA_DIR}/proxy-client.pem \\
--proxy-client-key-file=${CA_DIR}/proxy-client-key.pem \\
--enable-aggregator-routing=true \\
--enable-swagger-ui=true \\
--allow-privileged=true \\
--apiserver-count=3 \\
--audit-log-mode=batch \\
--audit-log-truncate-enabled=true \\
--audit-log-batch-buffer-size=20000 \\
--audit-log-batch-max-size=3 \\
--audit-log-maxage=15 \\
--audit-log-maxbackup=3 \\
--audit-log-maxsize=100 \\
--audit-log-path=${K8S_LOG_DIR}/${KUBE_NAME}/audit.log \\
--audit-policy-file=${K8S_CONF_PATH}/audit-policy.yaml \\
--storage-backend=etcd3 \\
--max-mutating-requests-inflight=2000 \\
--max-requests-inflight=4000 \\
--event-ttl=168h \\
--alsologtostderr=true \\
--logtostderr=false \\
--log-dir=${K8S_LOG_DIR}/${KUBE_NAME} \\
--v=2
Restart=on-failure
RestartSec=5
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
EOF
關(guān)于 --requestheader-XXX 相關(guān)參數(shù),參考:
https://github.com/kubernetes-incubator/apiserver-builder/blob/master/docs/concepts
https://docs.bitnami.com/kubernetes/how-to/configure-autoscaling-custom-metrics/
注意:
###### Error from server (Forbidden): nodes.metrics.k8s.io is forbidden..
sudo systemctl status kube-apiserver |grep 'Active:'
確保狀態(tài)為 active (running),否則查看日志,確認原因:
sudo journalctl -u kube-apiserver
ETCDCTL_API=3 etcdctl \
--endpoints=${ETCD_ENDPOINTS} \
--cacert=/etc/k8s/ssl/ca.pem \
--cert=/etc/k8s/ssl/etcd.pem \
--key=/etc/k8s/ssl/etcd-key.pem \
get /registry/ --prefix --keys-only
kubectl cluster-info
在執(zhí)行 kubectl exec、run、logs 等命令時,apiserver 會將請求轉(zhuǎn)發(fā)到 kubelet 的 https 端口。這里定義 RBAC 規(guī)則,授權(quán) apiserver 使用的證書(kubernetes.pem)用戶名(CN:kuberntes)訪問 kubelet API 的權(quán)限:
kubectl create \
clusterrolebinding kube-apiserver:kubelet-apis \
--clusterrole=system:kubelet-api-admin \
--user kubernetes
kube-apiserver安裝完成,繼續(xù)安裝其他master組件:kube-controller-manager,具體安裝文檔請參考:kubernetes集群安裝指南:kube-controller-manager組件集群部署,關(guān)于kube-apiserver腳本請從此處獲??;
網(wǎng)頁標題:kubernetes集群安裝指南:kube-apiserver組件部署
分享路徑:http://muchs.cn/article20/jchpco.html
成都網(wǎng)站建設(shè)公司_創(chuàng)新互聯(lián),為您提供移動網(wǎng)站建設(shè)、微信公眾號、關(guān)鍵詞優(yōu)化、建站公司、軟件開發(fā)、企業(yè)網(wǎng)站制作
聲明:本網(wǎng)站發(fā)布的內(nèi)容(圖片、視頻和文字)以用戶投稿、用戶轉(zhuǎn)載內(nèi)容為主,如果涉及侵權(quán)請盡快告知,我們將會在第一時間刪除。文章觀點不代表本網(wǎng)站立場,如需處理請聯(lián)系客服。電話:028-86922220;郵箱:631063699@qq.com。內(nèi)容未經(jīng)允許不得轉(zhuǎn)載,或轉(zhuǎn)載時需注明來源: 創(chuàng)新互聯(lián)